Block youtube access

NethServer Version: NethServer release 7.7.1908 (final)
Module: Firewall, IPS, Webproxy/Webfilter, and others

Related to this unsuccessful attempt to get a usable hint I will try it again…
What I want: blocking youtube access for selected clients
What I tried to do:
0. Proxy in mode Transparent-SSL

  1. Definition of Firewall objects for the clients to block

  2. Definition of customised web filter category “youtube” with links inside
    2.1 Attempt 1:
    youtube.com
    youtube.de
    googlevideo.com
    2.2. Attempt 2:
    ((^)(\.))youtube\.com$
    ((^)(\.))youtube\.de$
    ((^)(\.))googlevideo\.com$

  3. create filter:

  4. time condition: always

Result: the defined client has full access, no blocking

What do I have to do to make it work?

Can this kind of user have access to other Google services or not?
Was the configuration applied (and squid restarted) after the creation of the rule?
Did you verify the log?

What I want : blocking youtube access for selected clients

the client should not have access - but it has and will not be blocked.

This works for me. It seems you set everything correctly.

Please check /var/log/ufdbguard/ufdbguardd.log.

You should see entries like the following for the blocked category:

2020-02-12 01:32:08 [30704] BLOCK - 192.168.1.100 src_blockyoutubefortest youtube www.youtube.com:443 CONNECT www.youtube.com

In /var/log/squid/access.log you should see a line like this:

1581467992.503 116 192.168.1.100 TCP_TUNNEL/200 2989 CONNECT www.youtube.com:443 - HIER_DIRECT/
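To apply the log check described in the post above, this added example (not part of the original thread, nor NethServer or ufdbGuard code) tallies BLOCK entries per client, source and category, which shows at a glance whether the custom category ever matched for a client. The field order is an assumption inferred from the sample BLOCK line above, and the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumed field order, inferred from the sample BLOCK line in this thread:
# date time [pid] BLOCK user client-ip source category url method [host]
BLOCK_RE = re.compile(
    r"^\S+ \S+ \[\d+\]\s+BLOCK\s+(?P<user>\S+)\s+(?P<client>\S+)\s+"
    r"(?P<source>\S+)\s+(?P<category>\S+)\s+(?P<url>\S+)\s+(?P<method>\S+)"
)

def tally_blocks(lines):
    """Count BLOCK entries per (client, source, category); other lines are skipped."""
    counts = Counter()
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if m:
            counts[(m["client"], m["source"], m["category"])] += 1
    return counts

def category_fired(counts, client, category):
    """True if `category` blocked at least one request from `client`."""
    return any(c == client and cat == category for (c, _src, cat) in counts)

# Constructed sample in the shape of /var/log/ufdbguard/ufdbguardd.log
SAMPLE_LOG = """\
2020-01-01 10:00:00 [1000] configuration status: ok
2020-01-01 10:00:05 [1000] BLOCK - 192.0.2.10 src_kids in-addr 203.0.113.7:443 CONNECT
2020-01-01 10:00:06 [1000] BLOCK -    192.0.2.10   src_kids in-addr   203.0.113.8:443 CONNECT
2020-01-01 10:00:09 [1000] BLOCK - 192.0.2.20 src_guests youtube www.youtube.com:443 CONNECT www.youtube.com
""".splitlines()

if __name__ == "__main__":
    counts = tally_blocks(SAMPLE_LOG)
    for (client, source, category), n in sorted(counts.items()):
        print(f"{client:15} {source:12} {category:10} {n}")
    # The source rule matches 192.0.2.10, but only raw-IP requests are blocked:
    print("youtube fired for 192.0.2.10:",
          category_fired(counts, "192.0.2.10", "youtube"))
```

A client that shows up only with `in-addr` blocks is matched by its source rule, but the custom category never matched any hostname it requested.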

Hi

If NethServer is your DNS Server (And also for the clients), then the easiest might be a DNS Server-Alias, pointing to a virtual Host in NethServer - that contains the “Not Allowed” infos…

The clients would still be able to access it via IP, but any links on the page will not work!

My 2 cents
Andy

Thank you for your hint. Found inside:

2020-02-12 17:49:29 [814] source "src_test-youtube" {
2020-02-12 17:49:29 [814]    ipv4  192.168.3.12
2020-02-12 17:49:29 [814] }

2020-02-12 17:49:29 [814] database status: up to date
2020-02-12 17:49:29 [814] license status: unknown
2020-02-12 17:49:29 [814] configuration status: ok
2020-02-12 17:49:29 [814]
2020-02-12 17:49:29 [814] using OpenSSL library 1.0.2k R (OpenSSL 1.0.2k-fips 26 Jan 2017)
2020-02-12 17:49:29 [814] HTTPS/SSL verification with trusted certificates from file “/var/ufdbguard/blacklists/security/cacerts” and directory “none”
2020-02-12 17:49:29 [814] LC_CTYPE is not set
2020-02-12 17:49:29 [814] LANG is ‘C’
2020-02-12 17:49:29 [814] 32 HTTPS verification threads created.
2020-02-12 17:49:29 [814] time definitions are used; evaluating current ACLs
2020-02-12 17:49:29 [814] next alarm is in 6001 seconds
2020-02-12 17:49:29 [814] Changing daemon status to “started”
2020-02-12 17:49:29 [814] UNIX socket “/tmp/ufdbguardd-03977” successfully created
2020-02-12 17:49:29 [814] listening on UNIX socket “/tmp/ufdbguardd-03977”
2020-02-12 17:49:29 [814] using rwlock for database locking with preference for “writer”
2020-02-12 17:49:29 [814] processor yielding is enabled
2020-02-12 17:49:29 [814] system: x86_64 Linux 3.10.0-1062.12.1.el7.x86_64 nethserver.lan.home on 4 CPUs
2020-02-12 17:49:29 [814] ufdbguardd 1.33.7 started with 68 URL verification threads and 32 TLS/SSL verification threads
2020-02-12 17:49:34 [814] BLOCK - 192.168.3.12 src_test-youtube in-addr 17.248.148.47:443 CONNECT
2020-02-12 17:49:35 [814] BLOCK - 192.168.3.12 src_test-youtube in-addr 17.248.148.8:443 CONNECT
2020-02-12 17:49:36 [814] BLOCK - 192.168.3.12 src_test-youtube in-addr 17.248.148.81:443 CONNECT
2020-02-12 17:49:38 [814] BLOCK - 192.168.3.12 src_test-youtube in-addr 17.248.148.16:443 CONNECT

That’s all, and no limitations to access youtube.

Hi Andy, I’m using a dedicated DNS and DHCP-Server (Pihole). There I can block YouTube easily for selected clients (new feature in Beta5).

But in the end, I don’t just want to block or unblock clients completely - I want to have time-based control esp. overnight.
So the first step is to make sure that clients are blocked at all. Only then can I take the next step.

Regardless of everything, I also have the ambition to understand how Nethserver works and actually use the available features.

There’s got to be somebody who made this use case work.

Do you consider feasible a test without PiHole as DHCP/DNS server?

Then I will bite the bullet :slight_smile:

Easiest way to start is change DHCP PiHole to use NethServer as DNS instead of itself…

What I did:

  1. Deactivation DHCP-Server Pihole
  2. Activation DHCP-Server Nethserver
  3. IP-Reservation identical to former pihole
  4. Definition of corresponding DNS-Records

What a heavy workload! Why are the DNS records not automatically generated from the IP reservations?

Result: no blocking of YouTube access!

2020-02-12 20:15:20 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       159.69.129.2:443 CONNECT 
2020-02-12 20:15:21 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       23.211.9.201:443 CONNECT 
2020-02-12 20:15:24 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.72.64.33:443 CONNECT 
2020-02-12 20:15:50 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       66.39.100.167:443 CONNECT 
2020-02-12 20:16:18 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       23.211.8.84:443 CONNECT 
2020-02-12 20:16:18 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       104.107.210.40:443 CONNECT 
2020-02-12 20:16:19 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.97.186.114:443 CONNECT 
2020-02-12 20:16:20 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.97.232.210:443 CONNECT 
2020-02-12 20:16:20 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.97.232.210:443 CONNECT 
2020-02-12 20:16:20 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.97.232.210:443 CONNECT 
2020-02-12 20:16:20 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.97.232.210:443 CONNECT 
2020-02-12 20:16:20 [2546] BLOCK -                192.168.3.12    src_test-youtube in-addr       52.97.232.210:443 CONNECT

Using proxy filter you could try if this works for you.
Categories: Add Category:

  • Name: youtube
  • Domains:
youtu.be
ytimg.com
googlevideo.com
youtubei.googleapis.com
youtube.googleapis.com
youtube.ad
youtube.ae
youtube.al
youtube.am
youtube.as
youtube.at
youtube.az
youtube.ba
youtube.be
youtube.bf
youtube.bg
youtube.bi
youtube.bj
youtube.bs
youtube.bt
youtube.by
youtube.ca
youtube.cat
youtube.cd
youtube.cf
youtube.cg
youtube.ch
youtube.ci
youtube.cl
youtube.cm
youtube.cn
youtube.co.ao
youtube.co.bw
youtube.co.ck
youtube.co.cr
youtube.co.id
youtube.co.il
youtube.co.in
youtube.co.jp
youtube.co.ke
youtube.co.kr
youtube.co.ls
youtube.co.ma
youtube.co.mz
youtube.co.nz
youtube.co.th
youtube.co.tz
youtube.co.ug
youtube.co.uk
youtube.co.uz
youtube.co.ve
youtube.co.vi
youtube.co.za
youtube.co.zm
youtube.co.zw
youtube.com
youtube.com.af
youtube.com.ag
youtube.com.ai
youtube.com.ar
youtube.com.au
youtube.com.bd
youtube.com.bh
youtube.com.bn
youtube.com.bo
youtube.com.br
youtube.com.bz
youtube.com.co
youtube.com.cu
youtube.com.cy
youtube.com.do
youtube.com.ec
youtube.com.eg
youtube.com.es
youtube.com.et
youtube.com.fj
youtube.com.gh
youtube.com.gi
youtube.com.gr
youtube.com.gt
youtube.com.hk
youtube.com.jm
youtube.com.kh
youtube.com.kw
youtube.com.lb
youtube.com.ly
youtube.com.mm
youtube.com.mt
youtube.com.mx
youtube.com.my
youtube.com.na
youtube.com.ng
youtube.com.ni
youtube.com.np
youtube.com.om
youtube.com.pa
youtube.com.pe
youtube.com.pg
youtube.com.ph
youtube.com.pk
youtube.com.pr
youtube.com.py
youtube.com.qa
youtube.com.sa
youtube.com.sb
youtube.com.sg
youtube.com.sl
youtube.com.sv
youtube.com.tj
youtube.com.tr
youtube.com.tw
youtube.com.ua
youtube.com.uy
youtube.com.vc
youtube.com.vn
youtube.cv
youtube.cz
youtube.de
youtube.dj
youtube.dk
youtube.dm
youtube.dz
youtube.ee
youtube.es
youtube.fi
youtube.fm
youtube.fr
youtube.ga
youtube.ge
youtube.gg
youtube.gl
youtube.gm
youtube.gr
youtube.gy
youtube.hn
youtube.hr
youtube.ht
youtube.hu
youtube.ie
youtube.im
youtube.iq
youtube.is
youtube.it
youtube.je
youtube.jo
youtube.kg
youtube.ki
youtube.kz
youtube.la
youtube.li
youtube.lk
youtube.lt
youtube.lu
youtube.lv
youtube.md
youtube.me
youtube.mg
youtube.mk
youtube.ml
youtube.mn
youtube.ms
youtube.mu
youtube.mv
youtube.mw
youtube.ne
youtube.nl
youtube.no
youtube.nr
youtube.nu
youtube.pl
youtube.pn
youtube.ps
youtube.pt
youtube.ro
youtube.rs
youtube.ru
youtube.rw
youtube.sc
youtube.se
youtube.sh
youtube.si
youtube.sk
youtube.sm
youtube.sn
youtube.so
youtube.sr
youtube.st
youtube.td
youtube.tg
youtube.tl
youtube.tm
youtube.tn
youtube.to
youtube.tt
youtube.vg
youtube.vu
youtube.ws

Some redirections might bypass this, showing youtube page(s) but unable to play videos.
Remember to clear browser cache when testing it.

2 Likes

You’re the best!
Now it works. Thank you very much.

Now it’s time to switch back to earlier configuration…
@dnutan awesome

I’ve done that too. Works fine.
Tomorrow I will test the time based access control. If this works too, I will write a how-to.

I had a very confusing experience…
Sometimes the blocking worked, sometimes not. Especially not on smartphones. I then tracked the individual requests and noticed that ggpht.com is additionally called. I added this domain to my custom category and it seems to help. But I have to keep watching this.

Keep verifying. Any day someone can add another domain…

1 Like
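One way to keep verifying, as the last posts suggest: this added example (not part of the original thread) lists the CONNECT hostnames a test client requested in the Squid access log that no domain in the custom category covers, so newly appearing hosts such as the ggpht.com case stand out. It assumes Squid's native log format as in the sample line earlier in the thread and that a category domain also covers its subdomains; the log lines and addresses are constructed.

```python
import re
from collections import Counter

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def covered(host, domains):
    """Suffix match on label boundaries: the domain itself or any subdomain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def uncovered_hosts(access_lines, client, domains):
    """CONNECT hostnames requested by `client` that no category domain covers."""
    seen = Counter()
    for line in access_lines:
        f = line.split()
        # Native format: time elapsed client code/status bytes method url ...
        if len(f) < 7 or f[2] != client or f[5] != "CONNECT":
            continue
        host = f[6].rsplit(":", 1)[0]
        if IPV4_RE.match(host):
            continue  # raw IP targets cannot be matched by a domain list
        if not covered(host, domains):
            seen[host] += 1
    return seen

# Subset of the category from this thread, before ggpht.com was added
CATEGORY_DOMAINS = ["youtube.com", "youtu.be", "ytimg.com", "googlevideo.com"]

# Constructed sample in the shape of /var/log/squid/access.log
SAMPLE_ACCESS = """\
1580000000.100 120 192.0.2.10 TCP_TUNNEL/200 2989 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.5 -
1580000001.200  95 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT i.ytimg.com:443 - HIER_DIRECT/203.0.113.6 -
1580000002.300  80 192.0.2.10 TCP_TUNNEL/200 4096 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/203.0.113.7 -
1580000003.400  70 192.0.2.10 TCP_TUNNEL/200 4096 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/203.0.113.7 -
1580000004.500  60 192.0.2.10 TCP_TUNNEL/200 1024 CONNECT 203.0.113.9:443 - HIER_DIRECT/203.0.113.9 -
1580000005.600  60 192.0.2.20 TCP_TUNNEL/200 1024 CONNECT video.example.org:443 - HIER_DIRECT/203.0.113.8 -
""".splitlines()

if __name__ == "__main__":
    for host, n in uncovered_hosts(SAMPLE_ACCESS, "192.0.2.10", CATEGORY_DOMAINS).most_common():
        print(f"{n:4} {host}")
```

Run it against the log while reproducing the problem on the test client; the output is a list of candidates to review, not a list of domains to block blindly.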

Continued after restart here: Experience with fresh Nethserver-Installation